Design: Delivering Secure Solutions Michael Young ESRI Senior Enterprise Architect Certified Information Systems Security Professional (CISSP) Version 1.2
Agenda • Intro • ESRI’s GIS Security Strategy • Enterprise-wide Security Mechanisms • Application Security • Enterprise GIS Security Patterns • Current Security Trends • Scope of ESRI Security Efforts • ESRI’s Next Steps Supporting Secure Solutions
Intro: Goals for this session • Communicate ESRI’s plans to meet your security needs • Open discussions to incorporate your input
Intro: Security Industry Challenges • Service Oriented Architecture (SOA) • Virtualized systems • Cloud computing • Application vulnerabilities
Intro: General Security Principles • CIA Security Triad • Confidentiality • Prevent intentional or unintentional unauthorized disclosure • Integrity • Prevent unauthorized data modifications • Availability • Ensure reliable and timely access to data
Intro: General Security Principles • Defense in depth • Enterprise-Wide Initiative • Multiple Layers • Beyond Technology Solutions • Security zone based architecture
Intro: General Security Principles • Maintain Defenses Against Different Stages of Attack • Initial Compromise • Causing Damage • Long-Term Reconnaissance
ESRI’s Security Strategy: Two Reinforcing Trends [diagram contrasting two columns] • ESRI: Enterprise platform and services / Discrete products and services • Applications: … exploiting embedded and 3rd party security functionality / … exploiting 3rd party security functionality • Integrated systems with discretionary access / Isolated Systems • IT/Security: … relying on product and solution security validation / … relying on solution security validation
ESRI’s Security Strategy: Interdependent Capabilities • Secure GIS products • ESRI develops products that incorporate security industry best practices and are trusted across the globe to provide geospatial services that meet the needs of individual users and entire organizations • Secure GIS solution guidance • July release of Enterprise GIS Resource Center containing security best practice guidance and documentation
Enterprise-Wide Security Mechanisms: Overview • Authentication • Authorization • Filters • Encryption • Logging/Auditing
Enterprise-Wide Security Mechanisms: Authentication • ArcGIS Authentication Options • Default of none • Local connection • IIS Web Server Authentication • JavaEE Container Managed • Server Token Service • Forms based • Multiple concurrent methods • ArcGIS 9.3 Token Service • Cross-Platform - .NET & Java • Cross-API – SOAP & REST • Cross-Product – Desktop, Explorer, Web Service and Applications • 3rd Party • Public Key Infrastructure (PKI) • Single Sign-On (SSO) • Windows Integrated • LDAP
Enterprise-Wide Security Mechanisms: Authorization • Role Based Access Control (RBAC) • ESRI COTS • ArcGIS authorization across product lines to Service Level • Use ArcGIS Manager to assign access to services • Services can be grouped into folders which utilize inheritance to ease management • 3rd Party • RDBMS – Row Level or Feature Class Level • Multi-Versioned instances may significantly degrade RDBMS performance • Alternative is SDE Views • Custom - Limit GUI • Rich Clients via ArcObjects • Web Applications • Check out sample code - Google: EDN Common Security • Try out Microsoft’s AzMan tool
Enterprise-Wide Security Mechanisms: Filters • 3rd Party • Firewalls • Reverse Proxy • Common implementation option • MS now has free reverse proxy code for IIS 7 (Windows 2008) • Looking into providing baseline filters • Web Application Firewall • Looking into providing baseline guidance for ModSecurity • Anti-Virus Software • Intrusion Detection / Prevention Systems • Custom • Limit applications able to access geodatabase
Enterprise-Wide Security Mechanisms: Encryption • 3rd Party • Network • IPSec (VPN, Internal Systems) • SSL (Internal and External System) • File Based • Operating System – BitLocker • GeoSpatially enabled PDFs • Hardware (Disk) • RDBMS • Transparent Data Encryption • Low Cost Portable Solution - SQL Express 2008 w/TDE
Enterprise-Wide Security Mechanisms: Logging/Auditing • ESRI COTS • Geodatabase history may be utilized for tracking changes • JTX Workflow tracking of Feature based activities • ArcGIS Server Logging • Custom • ArcObjects component output GML of Feature based activities • 3rd Party • Web Server • RDBMS • OS
Application Security: Overview • Rich Client Applications • Web Applications • Web Services • Online Services • Mobile
Application Security: Rich Client Applications • ArcObject Development Options • Record user-initiated GIS transactions • Fine-grained access control • Edit, Copy, Cut, Paste and Print • Interface with centrally managed security infrastructure (LDAP) • Integration with server Token Authentication Service • Windows native authentication • Client Server Communication • Direct Connect – RDBMS • Application Connect – SDE • HTTP Service – GeoData Service • SSL and IPSec Utilization
Application Security: Web Applications • ArcGIS Server Manager • Automates standard security configuration of web apps in ASP.NET and Java EE • E.g. Modifies web.config file of ASP.NET • Application Interfaces • .NET and Java ADFs • Out of the box integration with Token Security service • REST APIs (JavaScript, Flex, Silverlight) • Can embed token in URL – Simple • Better solution is to dynamically generate the token • Don’t forget to protect access to your client code
Application Security: Web Services • ArcGIS Server Manager • Set permissions on folders as well as individual services • Restricting access to some services but not others is only available through Internet connections • Can remove Local service requests to ArcGIS Server by emptying AGSUsers group • Secures access to all ArcGIS Server web interfaces • REST • Service directory is on by default, disable if you don’t want it browsable • SOAP • WS-Security can be addressed by 3rd party XML/SOAP gateways • OGC • KML
Application Security: Online Services • New ArcGIS Online Search and Share • Central resource for easily accessing, storing and sharing maps • A membership system • You control access to items you share • You are granted access to items shared by others • You join and share information using groups • Organizations self-administer their own users and groups • Site security similar in approach with other social networking sites • Not meant for highly confidential or proprietary data
Application Security: Mobile • ArcPad • Password protect and encrypt the AXF data file • Encrypt mobile device memory cards • Secure your ArcGIS Server environment with users and groups to limit who can publish ArcPad data • Secure your internet connection used for synchronizing ArcPad data • ArcGIS Mobile • Encrypt communication via HTTPS (SSL) or VPN tunnel to GeoData Service • Utilization of Token Service • Web Service Credentials • Consider utilization of Windows Mobile Crypto API • Third party tools for entire storage system
Secure GIS Patterns • ESRI is providing security implementation patterns to help solve recurring security problems in a proven, successful way • ESRI’s patterns leverage The National Institute of Standards and Technology (NIST) guidelines for securing information systems • Patterns are based on risk for: • Basic Security Risk Implementations • Standard Security Risk Implementations • Advanced Security Risk Implementations • To prioritize information security and privacy initiatives, organizations must assess their business needs and risks
Secure GIS Patterns: Choosing the appropriate Risk Level Pattern • How does a customer choose the right pattern? • Formal – NIST Security Categorization Process • Informal – Simple scenarios ESRI customers can relate to • Formal Pattern Selection • NIST SP 800-60 - Guide for Mapping Types of Information and Information Systems to Security Categories
Secure GIS Patterns: Information Pattern Selection • Informal Pattern Selection • Basic Risk Pattern • No Sensitive data – Public information • All architecture tiers can be deployed to one physical box • Standard Risk Pattern • Moderate consequences for data loss or integrity • Architecture tiers are separated to separate systems • Potential need for Federated Services • Advanced Risk Pattern • Sensitive data • All components redundant for availability • 3rd party enterprise security components utilized
Basic Secure GIS Patterns: Basic Security • Common Basic Security Environment Attributes • Utilize data and API downloads from cloud computing environments • Secure services and web applications with ArcGIS Token Service • Separate internal systems from Internet access with DMZ • Utilize a Reverse Proxy to avoid DCOM across firewalls
Standard Secure GIS Patterns: Standard Security • Common Standard Security Environment Attributes • Authentication/Authorization • No static storage of ArcGIS Token in application code • Multi-Factor authentication utilized for remote system access • Network • Partitioning system functions such as Web, Database and Management by VLANs • Servers have separate network connections for management traffic • Add Application Security Firewall (ex. ModSec) to Reverse Proxy Server • Utilize host-based firewalls on systems • Systems Management • Can utilize data from cloud computing environments, but have local copies • Avoid usage of internal clients consuming external services for API downloads • Redundant components for High Availability • Can utilize low cost load balancers such as MS NLB • Utilize Intrusion Prevention/Detection Systems • Implement least privilege • Ensure separation of duties • Lock down system ports, protocols, and services (Whitepaper available) • Standardize system images for clients and server (SMS) • Whitepaper available • Be aware of browser plug-in restrictions
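One way to check the "No static storage of ArcGIS Token in application code" attribute above, and the Web Applications slide's preference for dynamically generated tokens over tokens embedded in the URL. This is an added example, not ESRI code or part of the original deck; the `token` query parameter name, the 20-character threshold, the `session.token` variable and all sample URLs and token values are assumptions constructed for illustration.

```python
import re

# Assumptions for this example: the token travels as a `token` query
# parameter, and a literal value of 20+ URL-safe characters is an embedded
# token. Escaped quotes inside string literals are not handled.
STRING_LITERAL = re.compile(r'"([^"\n]*)"' + "|" + r"'([^'\n]*)'")
TOKEN_PARAM = re.compile(r"[?&]token=([A-Za-z0-9_.%-]{20,})")


def find_static_tokens(source, filename="<memory>"):
    """Return one finding per string literal that carries a fixed token value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1) if match.group(1) is not None else match.group(2)
            hit = TOKEN_PARAM.search(literal)
            if hit is None:
                continue  # e.g. "...?token=" + session.token (value added at run time)
            value = hit.group(1)
            findings.append({
                "file": filename,
                "line": lineno,
                "preview": value[:4] + "...",  # never echo the full secret
                "length": len(value),
            })
    return findings


# Constructed client code: host, service names and token values are made up.
SAMPLE_CLIENT_JS = '''var parcels = "https://gis.example.com/arcgis/rest/services/Parcels/MapServer?token=EXAMPLEEXAMPLEEXAMPLEEXAMPLE1234";
var roads = "https://gis.example.com/arcgis/rest/services/Roads/MapServer?token=" + session.token;
var img = '<img src="/arcgis/rest/services/Base/MapServer/export?f=image&token=CONSTRUCTEDVALUE0000000000000000">';
'''

if __name__ == "__main__":
    for f in find_static_tokens(SAMPLE_CLIENT_JS, "map.js"):
        print("%(file)s:%(line)d static token (%(length)d chars) %(preview)s" % f)
```

Run over the JavaScript and HTML shipped to browsers, the check flags lines where a fixed token would be readable by anyone who can fetch the client code, while leaving URLs whose token is appended at run time alone.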
Advanced Secure GIS Patterns: Advanced Security • Common Advanced Security Environment Attributes • Minimal reliance on external data/systems • Data Management • Separate datasets (e.g. Public, Employees, Subset of Employees) • Consider utilizing explicit labels on information, source and destination objects • Clustered Database for High Availability • Utilization of Transparent Data Encryption for storage of sensitive data • Authentication/Authorization • Utilize 3rd party security products for service and web application authentication and authorization • Utilize Public Key Infrastructure (PKI) certs • Multi-Factor Authentication required for Local Access, and for Remote system access, Hardware Token Multi-Factor required • Network configuration • Redundant network connections between systems • Secure communication via IPSec between backend systems • Secure communication via SSL/TLS between Clients and Servers (Both web and Rich Clients) • Partitioning system functions such as Web, Database and Management by VLANs • Servers have separate network connections for management traffic • Deploy Network Access Control (NAC) tools to verify security configuration and patch level compliance before granting access to a network
Current Security Trends: Old-Fashioned DOS Attacks Still in Style • July 4th started off with a bang of 50,000 'zombies' triggering recent denial of service attacks • High profile U.S. Web sites affected include: • The White House site • The Department of Homeland Defense • The State and the U.S. Treasury • The Washington Post, among others • Based on old virus - MyDoom. • Patchwork of scripts – No coding needed • No attempt to avoid AV signatures • Sad truth on protecting your site from this • Batten the hatches, hunker down and work with your Internet Service Provider (ISP) to implement upstream filtering to cut down the massive online traffic overloading their network
Current Security Trends: Recent Surveys • Increasing focus on the degree to which security can be improved if applications used for business processes within enterprises were designed and programmed with fewer vulnerabilities to begin with • DHS - Build Security In • Consensus Audit Guidelines (CAG) • SafeCode • Application Firewalls have become commonplace with over ½ of organizations utilizing them (CSI 2008 Survey)
Current Security Trends: Cloud Computing • A current IT hotspot • Be careful of security façades that can be bypassed • NIST Cloud Computing Security Whitepaper out soon • The only “secure clouds” right now are private clouds
Scope of ESRI Security Efforts: Compliance and certifications • ESRI fully supports and tests product compatibility with FDCC (Federal Desktop Core Configuration) security settings • ESRI hosts FISMA certified and accredited low risk category environments • ESRI’s Security Patterns are based on NIST/FISMA guidance • Not provided as full certification compliance representations • ESRI software products are successfully deployed in high risk security environments • ESRI does not certify classified environment products and systems • Function is performed by the system owner • ESRI continues to evaluate the need for compliance and/or additional certifications
Scope of ESRI Security Efforts: Regulations and Standards • ESRI patterns based on ISO / NIST guidance • Contain the backbone of most security regulations and standards • NIST Standards can operate as a baseline of security and then layer in applicable laws, regulations for compliance of an industry on top • Referred to as a Unified approach to information security compliance
Scope of ESRI Security Efforts: NEW Enterprise GIS Resource Center • Incorporates IT Foundation Architecture Guidance • ESRI Provides GIS Best Practice Guidance
Scope of ESRI Security Efforts • ESRI provides security due diligence with our products and solutions, but is not a security software company • ESRI recognizes every security solution is unique • Ultimately, certifications and accreditations are based on a customer’s mission area and circumstance • Reference Implementations on Enterprise Resource Center • Validate for performance and security
Next Steps Supporting Secure Solutions • Your feedback and insight today are essential • Current security issues • Upcoming security requirements • Areas of concern not addressed today Contact Us At: est@esri.com
Session Evaluation Reminder Session Attendees: Please turn in your session evaluations. . . . Thank you
References • ESRI Enterprise GIS Resource Center Website • NEW JULY 2009 • Focused Enterprise GIS Technical Solutions • http://resources.esri.com/enterprisegis/ • Consensus Audit Guidelines • Released May 2009 (Version 2.0) • http://www.sans.org/cag/guidelines.php • SafeCode Guidelines • http://www.safecode.org/ • MS Application Architecture Patterns • Contains security guidance per application type • http://www.codeplex.com/AppArchGuide